PfSense and Cisco 1841 site-to-site help?
-
I want to test a site-to-site connection between pfSense and a Cisco 1841 (c1841-adventerprisek9-mz.124-24.T3) using IPsec. I have a friend who wants to help me with his Cisco 1841, but something is wrong and the tunnel does not work.
Configuration:
pfSense (LAN: 192.168.130.0/24, WAN: 93.152.XX.XX)
-- internet --
cisco 1841 (LAN: 10.100.100.0/24, WAN: 95.111.XX.XX)

pfSense log (in reverse order):

Aug 18 12:53:31 racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
Aug 18 12:53:01 racoon: ERROR: Message: '4 '.
Aug 18 12:53:01 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Aug 18 12:53:01 racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[0]<=>95.111.xx.xx[0]
Aug 18 12:52:47 racoon: [Cisco]: ERROR: 95.111.xx.xx give up to get IPsec-SA due to time up to wait.
Aug 18 12:52:17 racoon: ERROR: Message: '4 '.
Aug 18 12:52:17 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Aug 18 12:52:17 racoon: [Cisco]: INFO: initiate new phase 2 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
Aug 18 12:52:16 racoon: [Cisco]: INFO: ISAKMP-SA established 93.152.xx.xx[500]-95.111.xx.x[500] spi:78f9f6b8ed3a4e56:d4a1d4dc9bf1516f
Aug 18 12:52:16 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Aug 18 12:52:16 racoon: INFO: received Vendor ID: DPD
Aug 18 12:52:16 racoon: INFO: received Vendor ID: CISCO-UNITY
Aug 18 12:52:16 racoon: INFO: begin Identity Protection mode.
Aug 18 12:52:16 racoon: [Cisco]: INFO: initiate new phase 1 negotiation: 93.152.xx.xx[500]<=>95.111.xx.x[500]
Aug 18 12:52:16 racoon: [Cisco]: INFO: IPsec-SA request for 95.111.xx.x queued due to no phase1 found.
Aug 18 12:40:25 racoon: [Self]: INFO: 93.152.xx.xx[500] used as isakmp port (fd=18)
Aug 18 12:40:25 racoon: [Self]: INFO: 192.168.12.254[500] used as isakmp port (fd=17)
Aug 18 12:40:25 racoon: [Self]: INFO: 192.168.130.254[500] used as isakmp port (fd=16)
Aug 18 12:40:25 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=15)
Aug 18 12:40:25 racoon: [Self]: INFO: 10.10.11.2[500] used as isakmp port (fd=14)
Aug 18 12:40:25 racoon: INFO: unsupported PF_KEY message REGISTER
pfSense settings:
Interface: WAN
Local subnet: LAN subnet
Remote subnet: 10.100.100.0/24
Remote gateway: 95.111.xx.xx
Phase1:
Negotiation mode: main
My identifier: My IP Address
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Authentication method: Pre-shared key
Pre-Shared Key: xxxx

Phase 2
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
PFS key group: 2
Lifetime: 3600

Cisco 1841 configuration:

cisco_router_rtr#sh cry ipsec sa

interface: FastEthernet0/1
    Crypto map tag: vpn, local addr 95.111.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.130.0/255.255.255.0/0/0)
   current_peer 93.152.xx.xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 45, #recv errors 0

     local crypto endpt.: 95.111.xx.xx, remote crypto endpt.: 93.152.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
-
The problem was on the Cisco side: when the pfSense site-to-site connection is not the first connection in the config file, the tunnel does not work.
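For reference, here is the IOS-side configuration that mirrors the pfSense phase 1 and phase 2 settings posted above (3DES, SHA1, DH group 2, 28800 s / 3600 s lifetimes, pre-shared key, ESP with PFS group 2). This is an added example written for this page, not the poster's or his friend's actual router configuration. The crypto map tag `vpn` and the interface `FastEthernet0/1` are taken from the `show crypto ipsec sa` output on the page; the names `PFSENSE-TS` and `PFSENSE-CRYPTO`, the sequence numbers `10`, and the placeholder `<pre-shared-key>` are assumptions. Syntax is IOS 12.4T, the release named in the question.

```cisco
! Phase 1 (ISAKMP) policy matching the pfSense phase 1 settings:
! main mode, 3DES, SHA1, DH group 2, PSK, 28800 s lifetime.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! PSK for the pfSense WAN address (placeholder key, assumption).
! Append "no-xauth" to this line if the same crypto map also terminates
! XAUTH remote-access clients, so the router does not try to XAUTH the firewall.
crypto isakmp key <pre-shared-key> address 93.152.XX.XX
!
! Phase 2 transform matching pfSense: ESP, 3DES, SHA1, tunnel mode.
crypto ipsec transform-set PFSENSE-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Interesting traffic: Cisco LAN -> pfSense LAN, mirror image of the
! pfSense "Local subnet" / "Remote subnet" pair.
ip access-list extended PFSENSE-CRYPTO
 permit ip 10.100.100.0 0.0.0.255 192.168.130.0 0.0.0.255
!
! Crypto map entry. IOS evaluates entries in sequence-number order,
! lowest first, so this entry must sort before any broader or dynamic
! entry on the same map (which is what the accepted answer above is about).
crypto map vpn 10 ipsec-isakmp
 set peer 93.152.XX.XX
 set transform-set PFSENSE-TS
 set pfs group2
 set security-association lifetime seconds 3600
 match address PFSENSE-CRYPTO
!
interface FastEthernet0/1
 crypto map vpn
```

After applying it, `show crypto isakmp sa` should list the peer in state `QM_IDLE` and `show crypto ipsec sa` should show non-zero `#pkts encaps`/`#pkts decaps` once traffic flows; `debug crypto isakmp` on the router shows which proposal attribute it rejected when racoon logs `NO-PROPOSAL-CHOSEN`. The algorithms here are only what the page uses; 3DES, SHA1 and DH group 2 are weak by current standards, and AES with a stronger DH group should be configured on both ends wherever the peers support it.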